b'U.S. CONSUMER PRODUCT SAFETY COMMISSION\n\n\n\n\nOFFICE OF THE INSPECTOR GENERAL\n\n\n\n FEDERAL INFORMATION SECURITY\n      MANAGEMENT ACT\n               REPORT\n\n\n     Issued:   November 15, 2012\n\x0c\x0c                     Federal Information Security Management Act Report\n                                       Table of Contents\n\n                                                                          Page\nEXECUTIVE SUMMARY                                                         2\nOffice of the Inspector General\xe2\x80\x99s Results\n\nINTRODUCTION                                                              5\n\nBackground                                                                5\nObjective                                                                 6\nScope and Methodology                                                     6\n\nRESULTS OF EVALUATION                                                     8\n\nPrior Findings, Recommendations, and Actions Taken\n        Security Management Controls                                      8\n        Security Operational Controls                                     22\n        Security Technical Controls                                       32\n\n\nMANANGEMENT RESPONSE                                                      40\n\n\n\n\n                                                                                 1\n\x0cOffice of the Inspector General\nU.S. Consumer Product Safety Commission\nWashington, D.C. 20207\n\n                FEDERAL INFORMATION MANAGEMENT ACT REPORT\n\n                                   EXECUTIVE SUMMARY\n\n\nOffice of the Inspector General\'s Results\n\n        To meet the requirements of the Government Information Security Reform Act (GISRA),\nand its successor, the Federal Information Security Management Act (FISMA), the Consumer\nProduct Safety Commission\'s (CPSC) Office of the Inspector General (OIG) contracted with\nGrant Thornton, LLP to perform an independent audit of the CPSC\'s automated information\nsecurity control procedures and practices in Fiscal Year (FY) 2001. The audit included tests of\nentity-wide controls and six of the CPSC\'s 49 application systems and their underlying elements.\nGrant Thornton used the National Institute of Standards and Technology (NIST) Special\nPublication (SP) 800XX, Draft Self-Assessment Guide for Information Technology Systems,\nMarch 9, 2001 to test security controls. The results of the Audit of Automated Information\nSystem Security, August 16, 2001, and the annual follow-ups to it, in conjunction with the\nindependent reviews required by FISMA and audits with information technology aspects (CFO\nAct Audit, etc.), served as the basis for the OIG\'s Fiscal Year 2012 evaluation. The OIG\nconducted this review in accordance with the Quality Standards for Inspections issued by the\nCouncil of Inspectors General on Integrity and Efficiency\xe2\x80\x99s (CIGIE) Inspection and Evaluation\nCommittee and not the Generally Accepted Government Audit Standards (GAGAS) standards\nissued by the GAO.\n\n        This year\xe2\x80\x99s FISMA evaluation found that, although much work remains, management has\nmade substantial progress in implementing the FISMA requirements. CPSC\xe2\x80\x99s General Support\nSystem (GSS LAN) regained its security accreditation on October 1, 2012, and the Consumer\nProduct Safety Risk Management System (CPSRMS) has completed the security accreditation\nprocess, and retained its security accreditation. Management successfully mitigated or\nsubstantially reduced the risks associated with the three high-risk security weaknesses that\nprevented the GSS LAN from obtaining an Authorization to Operate (ATO) in FY 11. Multi-\nfactor authentication to access the Virtual Private Network (VPN) is now systematically required\nfor a substantial majority of the CPSC users, management drafted an Information System\nContingency Plan (ISCP) for the GSS LAN, and management has documented and implemented\nbaseline security configurations for many of the key agency software components.\n\n       Although much has been accomplished, much remains to be done. The OIG noted that\nmanagement has not had an independent security assessment performed for the International\nTrade Data System Risk Assessment Methodology (ITDSRAM) application, nor updated and\napproved its security documentation, nor accepted the risk with operating the application in FY\n12. Management also has not fully implemented the NIST SP 800-37 Risk Management\nFramework. Management has not accredited the following major CPSC applications: PRISM,\n\n                                                                                                  2\n\x0cFOIAExpress, and Integrated Field System (IFS). Management has not performed an assessment\nto identify all major agency applications; it is particularly important that management assess the\napplications associated with the Office of Epidemiology because of the potential of these\napplications containing Personally Identifiable Information. The OIG also noted 65 findings (12\nhigh risk) in this year\xe2\x80\x99s review; please see below for additional details. The IT challenges facing\nthe agency are particularly relevant at the present time, as the agency deals with both the\nimplementation of the Consumer Product Safety Improvement Act (CPSIA) in general, and with\nthe CPSIA\'s specific impacts on the agency\'s IT operations.\n\n        The general theme of the findings is a lack of quality system reporting, in addition to, a\nlack of auditable evidence documenting the control activities performed by the resources\nresponsible for the reviewed processes. These deficiencies, at least in part, resulted from a lack\nof adequate and up-to-date policies and procedures. Also contributing to the deficiencies\nidentified was the lack of resources dedicated to implementing and enforcing the agency\xe2\x80\x99s\ndocumented policies and procedures throughout the Fiscal Year. Although management has\nupdated many of the agency\xe2\x80\x99s IT security policies and improved several of their procedures,\nmany improvements are still required. In addition, management did not disseminate these\npolicies to all of the resources identified with key procedural responsibilities.\n\n         The agency\xe2\x80\x99s system monitoring and reporting capabilities have substantially improved\nsince FY 10. Management implemented several new tools in FY 11, and implemented a new IPS\n(Intrusion Prevention System) in FY 12. Although management has not fully optimized these\ntools, the system reporting possible now is far greater that it was a year ago and management has\nshown a commitment to continuing to improve the agency\xe2\x80\x99s system reporting capabilities.\nManagement has also assigned an IT Security Specialist to the operations team to assist in the\nimplementation and optimization of these tools.\n\n         Management has developed remediation strategies to address the known vulnerabilities,\nwith a priority placed on the highest risk issues. The CPSC is in the process of remediating these\nissues. However, the full mitigation of these risks will require a significant amount of additional\neffort. For example, although the agency has still not fully implemented an effective Incident\nResponse program, the CPSC has taken steps to remediate this issue. These steps include the\nestablishment of a Computer Security Incident Response Team (CSIRT) to manage incidents.\nManagement also began to draft detailed Standard Operating Procedures incident response\nprocess, and management began to optimize the agency tool set to allow for the automatic\nidentification and correlation of incidents.\n\n         Another example of a remediation activity undertaken by CPSC management to eliminate\nexisting vulnerabilities and improve overall system security is the continued improvement of the\nContinuous Monitoring Process. Although management has not fully implemented the\nContinuous Monitoring Plan, the security team is now providing monthly reports to senior\nmanagement outlining the known risks to agency IT resources. This process will continue to\nimprove as management optimizes its current tool set and improves system reporting. An\neffective Continuous Monitoring Process, once implemented, will result in the remediation of\nseveral other vulnerabilities, simply due to the improvements required in system reporting to\nfacilitate the Continuous Monitoring strategy. The improvement in system reporting, in addition\n\n                                                                                                     3\n\x0cto the resulting analysis made possible by the enhanced reporting, will allow management to\nidentify, quantify, and remediate weaknesses in other processes (such as Remote Access\ngovernance, Identity Management, and Security Incident Reporting) much more efficiently and\neffectively than is currently possible. This, in addition to the harmonizing of processes required\nfor reporting, will result in a significant improvement in the overall system security.\n\n\n\n\n                                                                                                     4\n\x0c          FEDERAL INFORMATION SECURITY MANAGEMENT ACT REPORT\n\n                                        INTRODUCTION\n\nBackground: On October 30, 2000, the President signed into law the Fiscal Year (FY) 2001\nNational Defense Authorization Act, which included Title X, Subtitle G, the Government\nInformation Security Reform Act (GISRA). On December 17 2002, GISRA was superseded\nwhen the President signed into law the Electronic Government Act. Title III of this Act, the\nFederal Information Security Management Act (FISMA) along with Office of Managament and\nBudget (OMB) policy, lays out a framework for annual IT security reviews, reporting and\nremediation planning. FISMA seeks to ensure proper management and security for information\nresources supporting Federal operations and assets. The Act requires Inspectors General to\nperform an annual independent evaluation of their agencies\' information systems security\nprograms and practices.\n\nTo establish a baseline to help it meet the requirements outlined above, the CPSC\'s Office of the\nInspector General (OIG) performed an independent review of the CPSC\'s automated information\nsecurity control procedures and practices in FY 12. The requirements of the review included:\n\n-Evaluating and testing the internal controls defined in the 2012 FISMA metrics (provided by\nOMB).\n\n-Testing the effectiveness of the information security controls defined in the 2012 FISMA\nmetrics on all the CPSC\xe2\x80\x99s accredited, or previously accredited systems.\n\n-Assessing whether the CPSC\'s information security policies, procedures, and practices comply\nwith the Federal laws, regulations, and policies outlined in the 2012 FISMA metrics.\n\n-Recommending improvements, where necessary, in security record keeping, internal security\ncontrols, and system security.\n\n-Identifying the degree of risk associated with identified internal security controls weaknesses.\n\nThe review included tests of the entity-wide, system specific, and hybrid controls for the GSS\nLAN, CPSRMS, and ITDSRAM applications, as defined in the 2012 FISMA metrics. The OIG\nused the NIST and OMB guidance referred to in the 2012 FISMA metrics to assess the design\nand effectiveness of the CPSC security controls. The objective of the review was to determine\nwhether the CPSC\'s automated information system was adequately safeguarded.\n\nIn its report, the OIG identified security weaknesses in the CPSC\'s management, operational, and\ntechnical controls policies, procedures, and practices. The conditions of these controls could\npermit the modification or destruction of data, disclosure of sensitive information, or denial of\nservices to users who require the information to support the mission of the CPSC. In addition, as\npreviously reported in 2010 and 2011, the CPSC again did not have a capital budget for IT\n\n\n                                                                                                    5\n\x0csecurity in 2012. Without appropriate capital budget planning, management may not have the\nability to properly implement and maintain resources to ensure system safeguards.\n\nTo ensure proper coverage and mitigation of the risks identified by the OMB, the CPSC is\nrequired to perform its own testing procedures to assess the design and implementation of the\nOMB defined FISMA requirements. The CPSC OIG reviewed the 2012 GSS LAN and\nCPSRMS Security Assessment Plans (SAPs), and System Security Plan (SSPs), Security\nAssessment Reports (SARs), as well as the ITDSRAM SSP. Management did not contract an\nindependent review of security controls in 2012 nor did they develop a SAR or associated Risk\nAssessment for the ITDSRAM solution. Therefore, the OIG could not review these documents.\n\nObjective: In compliance with FISMA, to perform an annual independent evaluation of the\ninformation security program and practices of the agency, in order to determine the\neffectiveness of such program and practices.\n\nScope and Methodology: The OIG conducted this evaluation from August to October of 2012.\nThis evaluation consisted of a review of the following defined agency processes within the\nboundaries of the GSS LAN, CPSRMS and ITDSRAM applications:\n\n   - Risk Management\n\n   - Configuration Management\n\n   - Incident Response and Reporting\n\n   - Security Training\n\n   - The Plan of Actions and Milestones (POAM)\n\n   - Remote Access Management\n\n   - Identity and Access Management\n\n   - Continuous Monitoring Management\n\n   - Contingency Planning\n\n   - Contractor Systems\n\n   - Security Capital Planning\n\n   This evaluation constitutes both a follow-up of the findings and recommendations resulting\nfrom earlier audits, and a review of the CPSC\'s implementation of the IT security criteria as\ncurrently defined by FISMA. However, this year\xe2\x80\x99s evaluation does not consider the status of the\nCPSC Data Privacy Program, as current OMB guidance again this year does not require this\nreporting by the OIG.\n\n\n                                                                                                6\n\x0c   The statuses of each of these topics were reviewed and discussed with the Chief Information\nOfficer, Director of Information Technology and Technical Services, Information Systems\nSecurity Officer, and relevant members of their staffs. Documentation developed by both the\nCPSC officials and contractor personnel was reviewed as necessary.\n   The OIG conducted this evaluation in accordance with the Quality Standards for Inspections\nissued by the Council of Inspectors General on Integrity and Efficiency\xe2\x80\x99s (CIGIE) Inspection and\nEvaluation Committee and not the GAGAS standards issued by the GAO.\n\n\n\n\n                                                                                              7\n\x0c                                 RESULTS OF EVALUATION\n\nPrior Findings, Recommendations and Actions Taken: The FY 2001 audit of the CPSC\'s\ninformation security program revealed several material weaknesses in the CPSC\'s security\npolicies, procedures, and practices. Specifically, the CPSC management had not implemented\nsufficient management, operational, and technical controls. All previously identified material\nweaknesses have now been corrected. However, due to a combination of budget limitations and\nthe new security system requirements promulgated by NIST and OMB, the CPSC failed to\naccomplish all of the new security requirements by their implementation target dates. All\nrecommendations are considered open until all of the underlying weaknesses have been\ncorrected. A summary of Prior Findings, Recommendations, and Actions Taken follows:\n\n1. Security Management Controls\n\n  Prior Finding: Security management controls are enterprise-wide procedures for managing\nand assessing the risks and security controls of a system over its life cycle. Because CPSC\nmanagement had not implemented sufficient management controls in the areas of risk\nmanagement, review of security controls, life cycle management, authorized processing, and\nsystem security planning, the techniques and concerns that are normally addressed by\nmanagement were not fully implemented. OMB Circular A-130, Appendix III requires sufficient\nmanagement controls in these areas. This condition appears to have been due to the CPSC\nmanagement not having the resources necessary to make the implementation of Security\nManagement controls a priority.\n\n  Prior Recommendation: CPSC management should implement sufficient management\ncontrols in the areas of risk management, review of security controls, life cycle management,\nauthorized processing, and system planning in order to ensure efficient and effective\nmanagement of the IT system and its inherent risk.\n\n   Actions Taken: Management has made significant progress since 2001 to address this issue,\nalthough gaps remain. Management hired an Information System Security Officer to oversee IT\nsecurity. Management developed a SDLC plan and a Business Continuity Plan in FY 03.\nManagement also developed an Information System Security Plan (SSP) for the CPSC\xe2\x80\x99s General\nSupport System (GSS LAN) in FY 03. This adequately remediated all previous material\nweaknesses and allowed the GSS LAN to obtain a full ATO in FY 04. Management is currently\nin the process of hiring another Information Systems Security Officer to assist with the oversight\nof IT security. The agency has also developed an SSP for each of the accredited major\napplications (CPSRMS and ITDSRAM) in addition to the GSS LAN. The agency contracted\noutside consultancies to perform independent security control assessments each year for the GSS\nLAN since NIST enacted the requirement in 2006, except for Fiscal Years 2006, 2009, and 2011.\nThe agency has also developed and formalized, although not fully implemented, a policy and\nprocedure for establishing a certification and accreditation process, which generally conforms to\nNIST Framework.\n\n\n\n\n                                                                                                8\n\x0c  In FY 05, in accordance with OMB guidance, the CPSC began using NIST SP 800-26 to\nperform agency security self-assessments, and began implementing new system configuration\npolicies. Efforts continue to this day to bring the CPSC into full compliance with all other\nFISMA and OMB requirements.\n\n  In FY 06, new security system requirements previously promulgated by NIST and OMB\nbecame mandatory. In order to retain accreditation and certification of their information\nsystems, the CPSC was required to have its security controls independently tested and evaluated\nannually. Due to funding limitations, management did not do this in FY 06.\n\n   In order to meet the accreditation and certifications requirements outlined above, and to\ndetermine whether management correctly and effectively implemented the security controls\nidentified for the GSS LAN in the SSP, during FY 07 the Office of Inspector General conducted\na Security Test and Evaluation (STE Evaluation) in accordance with NIST SP 800-53. The STE\nEvaluation identified sixty-three (63) vulnerabilities for the CPSC General Support System. Of\nthese, six were found to be high-risk vulnerabilities, 31 were found to be medium risk\nvulnerabilities, and 26 were found to be low risk vulnerabilities. The STE Evaluation Report\nincluded a planned mitigation with an associated due date for each vulnerability identified.\n\n  In FY 08, the CPSC regained system certification. Management accomplished this after the\nmitigation of the six high-risk vulnerabilities found in the STE Evaluation and the successful\napproval and testing of the CPSC\'s IT Contingency Plan.\n\n   In FY 09, a fundamental problem with the CPSC\'s Plan of Action and Milestones (POAM)\nwas found. OMB has determined that agency POAMs must reflect known security weaknesses\nwithin an agency and, ". . . shall be used by the agency, major components, and program\nofficials, and the IG as the authoritative agency management mechanism to prioritize, track, and\nmanage all agency efforts to close security performance gaps." Although management had made\nchanges in 2009 to help the agency address this shortcoming, the agency has not historically used\na POAM as an affirmative management tool in addressing security weaknesses. Although it had\nhistorically done a good job of documenting known security weaknesses and prioritizing them,\nthe agency had not used a POAM to either track or project the resources required or milestones\nnecessary to address these weaknesses (as required by the OMB). As a result, the agency lacked\nhistorical data regarding its past efforts and failed to take advantage of a powerful planning tool\nin addressing current and future IT security challenges. Moreover, as of the conclusion of the\nFY 12 FISMA review, management still had not adequately implemented the POAM.\nManagement did not document milestones and milestone dates for each of the known security\nweaknesses. Also, management did not reference the related capital investments for each of the\nsecurity weaknesses identified in the POAM.\n\n  Our FY 09 review determined that the GSS LAN had maintained its certification and\naccreditation and that the system\xe2\x80\x99s security controls were, in the opinion of management, tested\nand reviewed in-so far as the agency continuously monitored the system. However, management\nhad not updated or adequately tested the Contingency Plan in 2009, 2010, or 2011. Due to\nchanges to the agency operating environment since the drafting of this plan, management\ndecided that a new Information System Continuity Plan was necessary. To address this issue,\n\n                                                                                                  9\n\x0cmanagement contracted an outside consultancy, Evoke, in FY 11 to draft Information System\nContingency Plans (ISCP) for the GSS LAN and selected applications. Although management\ndid not perform a functional test, as NIST requires, management performed a tabletop test of the\nGSS LAN ISCP, and documented the after-actions plans of the ISCP in November 2011. Now\nthat management has drafted the GSS LAN ISCP, the agency is planning to complete a Business\nImpact Analysis, establish an alternative processing site, and develop a Continuity of Operations\nPlan (COOP).\n\n   In FY 10, the CPSC contracted an outside vendor to perform and document the annual GSS\nLAN Risk Assessment, Security Test and Evaluation (ST&E), and Security Assessment Report\n(SAR), as well as to develop the SSP and to define a Continuous Monitoring process. This\nallowed the CPSC to identify risks, define compensating controls and outline remediation\nactions. The agency extended this contract in 2011 and 2012, and increased its scope to include\nthe CPSRMS application. CPSRMS and ITDSRAM both obtained their security accreditation\nbased on an independent security review of NIST requirements. CPSRMS obtained its\naccreditation in FY 11, and management reauthorized its security accreditation on October 3,\n2012. ITDSRAM obtained its accreditation in FY 11. However, in FY 12, management did not\nhave the ITSRAM application independently assessed for compliance with NIST requirements\nand did not formally reauthorize its security accreditation.\n\n   Also in FY 10 the Certification and Accreditation (C&A) policy did not define objective,\nmeasurable criteria that management could use to justify the certification and accreditation,\nrecertification and reaccreditation, or conversely, decertification of an in-scope system. As of\nthe FY 12 review, management still had not updated the policy. Furthermore, although the C&A\npolicy addressed a process to continuously track changes to information systems that may\nnecessitate reassessment of control effectiveness as defined by SP 800-37, management has not\nimplemented a process to perform the security impact analyses necessary to perform these tasks.\n\nRisk Management Review:\n\n   Management has not fully developed and implemented Risk Management Policies and\nprocedures. The agency\'s current policies and procedures do not include key elements related to\nthe risk management process, and management has not reviewed/updated these policies and\nprocedures in FY 2012. The policies do not include how entities coordinate amongst themselves\nto perform critical risk management tasks (e.g., how entities determine the risk to business\nprocesses or the organization as a whole). The risk management policies do not require that\nagency officials review and update these policies periodically, nor do they define how often the\npolicies and procedures must be reviewed/updated. Moreover, management has not codified the\nfrequency with which management has to disseminate the policies and procedures to resources\nwith key responsibilities.\n\n   Furthermore, the C&A policies do not address the creation of the Risk Executive (function)\nrole or another governing body required to provide oversight to the risk management process.\nWithout these functions in place, and their roles clearly defined and established, the\norganizational perspective of risk may be lost. Moreover, although the C&A policy requires the\nagency to create a Risk Management Strategy, and the policy outlines what is typically included\n\n                                                                                               10\n\x0cin a Risk Management Strategy (the tools and procedures used to assess risk within the agency,\nhow management prioritizes risks, how management monitors risk, and Organizational Risk\nTolerance, etc.), this policy does not define what management must include in the agency\'s Risk\nManagement Strategy, or the procedures for developing that strategy.\n\n   Management has not developed an Enterprise Architecture (EA) or integrated EA into the\nagency\'s risk management process. Management has also not developed an organizational risk\nmanagement strategy. The process in place to define and accept risk when authorizing a system\nto operate is inadequate. Management has not included guidance in any of the agency policies\nand procedures to ensure existing risks are within the organizational risk tolerance. Without\nindependent criteria, such as the organizational risk tolerance, to provide guidance on what the\norganization consider an acceptable risk, management cannot adequately justify the decision to\nauthorize a system to operate.\n\n   Management does not update security documents (the SSPs, SARs and Risk Assessments)\nthroughout the year to provide an up-to-date view of the information systems\xe2\x80\x99 security posture\nand to provide a method of continuously monitoring those postures. Instead, management only\nupdates these documents annually. In addition, management does not fully satisfy the OMB and\nNIST risk management documentation requirements. Management did not develop periodic\nsecurity status reports to document the assessment of control effectiveness and changes to the\nITDSRAM application, and present these reports to the Authorizing Official, Risk Executive\n(function) and Information System owner as required by NIST SP 800-37. In addition,\nmanagement did not have an independent annual security control assessment performed, and an\naccompanying SAR developed, as required by the C&A policy for the ITDSRAM application in\nFY 12. Management also did not update the ITDSRAM SSP and Risk Assessment to include the\nresults of the security control assessment, in FY 12.\n\nRisk Management Recommendations:\n\n        1) The agency should develop and implement standalone Risk Management policies and\nprocedures, or, update and implement the C&A policy and ensure it includes the following\nadditional components:\n        a) The requirement for management to implement a governance structure to manage risk\nfrom an organizational, mission and solution level. [e.g., the Risk Executive (function) and\nrelated governance bodies (Executive Risk Council)]. This policy should also include the roles\nand responsibilities for each resource involved within the governance of the risk management\nprocess.\n        b) What management must include in the agency\'s Risk Management Strategy (e.g.,\ntools and procedures used by the Agency to assess risk, the process by which management\nprioritizes risk, how management defines organizational risk tolerance and measures against that\norganizational risk tolerance, and how management plans to monitor risk throughout the year).\n        c) The process by which management integrates the Enterprise Architecture into the risk\nmanagement process.\n        d) The process by which decisions at the business process and solutions level are guided\nby the impact to the organization. This process should include the creation of an Executive Risk\nCouncil and the integration of EA into the risk management process.\n\n                                                                                              11\n\x0c        e) A requirement that management bases the authorization decision for an information\nsystem on the defined organizational risk tolerance.\n        f) The process by which the organizational entities coordinate with each other to address\nthe requirements of the related policies and procedures.\n        g) A requirement for the periodic review and updating of information security policies\nand procedures.\n        h) The frequency with which the organization reviews/updates the policies and\nprocedures.\n        i) The frequency with which the organization disseminates formal documented\nprocedures to elements within the organization having associated roles and responsibilities.\n        j) A distribution list and a requirement that management distribute the policies to all\nresources with key responsibilities outlined in the policies or procedures.\n\n        2) Develop and document a robust risk management process lead by a Risk Executive\n(function). The Risk Executive (function) should report to a governing board that includes\nsenior management. Management should also develop and implement a Risk Management\nStrategy using the NIST SP 800-37 guidance. The organization-wide Risk Management Strategy\nshould include:\n        a) the techniques and methodologies the organization plans to employ to assess\ninformation system related security risks and other types of risk of concern to the organization;\n        b) the methods and procedures the organization plans to use to evaluate the significance\nof the risks identified during the risk assessment;\n        c) the types and extent of risk mitigation measures the organization plans to employ to\naddress identified risks;\n        d) the level of risk the organization plans to accept (i.e., risk tolerance);\n        e) the methods and techniques the organization plans to use to monitor risk on an\nongoing basis given the inevitable changes to organizational information systems and their\nenvironments of operation; and\n        f) the degree and type of oversight the organization plans to use to ensure that\nmanagement is effectively implementing the risk management strategy.\n\n       3) Management should include a summary of the agency\'s hardware and software\ninventory, non-compliance with all agency configuration baselines, missing patches, and all\nknown server vulnerabilities in the monthly Security Status Reports.\n\n        4) Management should update the CPSC SSPs, SARs, Risk Assessments, and POAMs\neach time the agency makes a change with a security impact to a system. Management should\nregularly update the SSPs, and the SSPs should act as "living documents\xe2\x80\x9d that represents the\nmost up-to-date security information related to the CPSC systems.\n\n       5) Management should have an independent assessment of the ITDSRAM security\ncontrols performed and management should document the results of this assessment in a SAR.\n\n        6) Management should update the ITDSRAM SSP to reflect the current security posture\nof the ITDSRAM application.\n\n\n\n                                                                                               12\n\x0c       7) Management should develop a "Security Authorization Package" for the ITDSRAM\napplication as outlined in NIST SP 800-37 and provide it to the System Owner, the AO, and the\nISSO to certify.\n\n      8) Management should document the certification of the "Security Authorization\nPackage" in an accreditation memo or in an annual Security Status Report.\n\nPOAM Review:\n\n   In FY 10, management had not formalized or implemented the GSS LAN POAM, and\nmanagement had not periodically notified program officials of the progress of the security issues\nidentified in the GSS LAN POAM. Although gaps remain, the agency has formally\nimplemented a POAM for the GSS LAN and has made improvements in this area. In FY 11,\nManagement began documenting the identified security weaknesses, and mapping those\nweaknesses to the source documents in a POAM. Management began documenting a scheduled\ncompletion date for each security weakness, assigning a remediation activity owner to each\nsecurity weakness, documenting resources and timeline requirements for security weaknesses,\nand documenting some remediation milestones. Management also began providing agency\nofficials with quarterly updates on the changes to the GSS LAN POAM. However, management\ndoes not consistently assign milestones and milestone dates to each security weakness or track\nchanges to related milestones and milestone dates. Management does not document the\nestimated resources or the source of the funding required to remediate the security weaknesses\nand timeline requirements consistently. Management also has not integrated the funding of the\nPOAM into the Capital Planning process.\n\n   In FY 11, the CPSRMS and ITDSRAM applications both utilized POAMs to document and\ntrack material security weaknesses. However, management had not included all of the OMB\nM04-25 required information in these POAMs. Management does not document milestone\ncompletion dates or changes to milestones and milestone completion dates in the CPSRMS\nPOAM. Management also has not integrated the funding of the POAM into the Capital Planning\nprocess. In addition, management does not consistently include the following required\ninformation for each CPSRMS security weakness: the estimated funding resources required to\nremediate the weakness, the remediation funding source, and key milestones. Also, the\ncontractors and program officials responsible for implementing the CPSRMS solution did not\nprovide an updated POAM for CPSRMS to the Chief Information Officer (CIO) on a quarterly\nbasis throughout FY 12, nor did they provide updates on the status of the CPSRMS POAM\nactivities to the CIO on a quarterly basis. The ITDSRAM POAM also does not contain all of the\nrequired OMB M04-25 required information. The ITDSRAM POAM does not document key\nmilestones and the estimated completion dates for each of these milestones or the source of the\nsecurity weakness (e.g., internal program reviews, IG audits, GAO reports etc). The contractors\nand program officials responsible for implementing the ITDSRAM solution did not consistently\nprovide an updated POAM for ITDSRAM to the CIO on a quarterly basis throughout FY 12, nor\ndid they consistently provide updates on the status of the ITDSRAM POAM activities on a\nquarterly basis. In addition, the CIO does not centrally track and maintain the status of\nITDSRAM POAM activities.\n\n\n\n                                                                                               13\n\x0c   Management does not adhere to the estimated completion dates for each of the weaknesses\nidentified in the agency POAMs. Although management did not document estimated completion\ndates for POAM milestones, they did consistently document an estimated completion date for the\nresolution of the security weakness related to the GSS LAN. However, the estimated completion\ndates documented in the GGS LAN POAM for 32 (64%) of the 50 open GSS LAN security\nweaknesses had passed. Additionally, in 22 (69%) of those 32 outstanding instances at least the\nestimated completion date is at least eight months overdue. Management also consistently\ndocumented the estimated completion dates for the security weaknesses documented in the\nCPSRMS POAM. However, the estimated completion dates documented in the CPSRMS\nPOAM for all 10 open CPSRMS security weaknesses have passed. The ITDSRAM POAM does\nnot consistently document the estimated completion dates for the known security weaknesses.\n\n   In FY 11, the agency had not performed an annual security control assessment for the GSS\nLAN and CPSRMS, as is required by NIST. Therefore, the agency did not document the\nsecurity risks and vulnerabilities that management may have uncovered because of these\nassessments in the POAM. However, management had an independent assessment performed of\nthe security controls for the GSS LAN and CPSRMS in FY 12 and documented the security\nweaknesses identified as a result of these assessments in the associated POAMs. Management\ndid not have an independent assessment of security controls performed for the ITDSRAM\napplication in FY 12. Therefore, the ITDSRAM POAM did not include the results of an\nindependent review.\n\nPOAM Recommendations:\n\n1) Management should update the C&A policy to include a requirement to review and approve the\npolicy on an annual basis, or develop an entity level policy which requires all IT security policies and\nprocedures to be reviewed and approved on an annual basis.\n\n2) Management should perform a review of the C&A policy to ensure it is current.\n\n3) Management should perform an assessment of the level of effort required for the remediation of\neach security weakness, and the results of that assessment should be reflected in the\nmilestone/milestone dates and "Estimated Completion Date" fields in the associated POAMs.\n\n4) Management should document the key milestones for all security weaknesses tracked on agency\nPOAMs.\n\n5) Management should document the dates associated with the key milestones for all security\nweaknesses tracked on the POAM.\n\n6) Management should document all changes to the milestones or milestone dates in the POAM.\n\n7) Security weaknesses documented in the POAM that are associated to investments identified in the\nIT Investment portfolio should include UIIs to allow agency officials to trace the security weakness\nto the budget documentation.\n\n8) Management should complete all POAM fields for all security weakness.\n\n\n                                                                                                     14\n\x0c9) Management should capture estimated completion dates, milestones, milestone dates, and changes\nto milestone dates along with the source of the identification of the security weakness in the\nITDSRAM POAM.\n\n10) Management should update the CPSRMS POAM, and maintain this information on the IT\nSecurity SharePoint.\n\n11) Management should provide updates to the CIO on ITDSRAM and CPSRMS POAM activities\non a quarterly basis.\n\nContinuous Monitoring Review:\n\n  Although management had an independent security control assessment of the GSS LAN\nperformed in FY 10 and documented the results in the SSP and SAR, management had not\napproved or implemented a Continuous Monitoring strategy. Additionally, documented policies\nand procedures for continuous monitoring did not exist. Therefore, in FY 11, management\napproved a Continuous Monitoring Plan developed by an outside vendor for the CPSC.\nManagement also had an outside vendor develop the Continuous Monitoring Plan for FY 12.\nHowever, management did not approve the plan until October 2, 2012.\n\n   Management has made substantial strides in implementing the Continuous Monitoring\nprogram outlined in the plan. For example, management presents monthly reports to the\nappropriate program officials outlining current threats and the results of many of the existing\ncontinuous monitoring activities. However, management has not fully implemented the\nContinuous Monitoring Plan. The plan references a Risk Executive (function) that does not\nexist. Management only updates its SSPs and SARs once per annum, and these documents do\nnot act as \xe2\x80\x9cliving documents\xe2\x80\x9d that management can use to represent the system\xe2\x80\x99s current security\nposture at any given moment. Management does not perform Security Impact Analyses (SIAs)\non all proposed and actual system changes and update the security documentation with the\nresults of these assessments. The outside vendor did not perform quarterly configuration\ncompliance audits throughout FY 12 and present the results of these audits to management for\napproval. Nor did the outside vendor develop and test a contingency plan for the CPSC as the\nContinuous Monitoring Plan requires.\n\n   In addition, management cannot develop all of the reports outlined in the Continuous\nMonitoring Plan and present them to appropriate program officials for periodic review.\nAlthough the CPSC Security Team has partially implemented a tool set to facilitate the\ncontinuous monitoring reporting, management has not yet optimized this tool set. As such, the\nagency does not adequately report its hardware and software inventory, fully report on\nconfiguration management compliance, or fully report on patch management compliance and\nsystem vulnerabilities. Moreover, management does not implement alerts and review logs to\nidentify unauthorized access and privilege changes as required by the plan.\n\n\n\n\n                                                                                                15\n\x0c   Moreover, management did not have an independent assessment performed on a subset of\nsecurity controls for the ITDSRAM application in FY 12. Therefore, management could not\nupdate the ITDSRAM SSP, SAR, and Risk Assessment, and notify the appropriate program\nofficials of the results of this assessment.\n\nContinuous Monitoring Recommendations:\n\n1) Management should implement the Risk Executive (function) and integrate that function into\nthe Continuous Monitoring Process.\n\n2) Develop and implement an OMB/NIST compliant Continuous Monitoring Policy and\nattendant procedures.\n\n3) Management should perform Security Impact Analyses (SIAs) on all actual or proposed\nsystem changes. Management should documents these results along with the results from all\nother continuous monitoring activities in the monthly Security Status Reports. Management\nshould also update the risk documentation accordingly.\n\n4) Management should develop and maintain a comprehensive Enterprise Architecture (EA) and\nmanagement should tie the approval of all system changes to their impact on the EA.\n\n5) Management should deploy a solution to report on the agency\xe2\x80\x99s current inventory of\nhardware and software.\n\n6) The periodic security status reports should include the results of the server configuration\nmanagement scans, patch management scans, and a summary of the current hardware and\nsoftware inventory.\n\n7) Management should ensure that quarterly configuration compliance audits are performed and\nthe results of these audits are presented to the ISSO. The results of these audits should be\nincluded in the Monthly Security Status Reports.\n\n8) 8) Management should develop and test a Contingency Plan in accordance with the\nrequirements outlined in NIST SP 800-34 as required by the CPSC\xe2\x80\x99s Continuous Monitoring\nPlan.\n\n9) Management should review logs and implement alerts to identify unauthorized access and\nprivilege changes. The results of these reviews should be included in the Monthly Security\nStatus Reports.\n\n10) Management should have an independent assessment performed on the ITDSRAM\napplication. Management should record the results of this assessment in a Security Assessment\nReport and present this report to the CIO for review.\n\n11) Management should draft an annual Security Status Report for the ITDSRAM application\nand present this report to the Authorizing Official and System Owner for certification.\n\n                                                                                                 16\n\x0cContingency Planning Review:\n\n   In FY 10 and FY 11, the agency had not formalized or tested a Business Impact Analysis\n(BIA), Business Continuity Plan (BCP), Disaster Recovery (DR) Plan or Information System\nContingency Plans (ISCP). The lack of a tested ISCP in addition to the other reasons outlined in\nthe Executive Summary, resulted in the GSS LAN losing its security certification in FY 11.\nTherefore, management documented an ISCP for the GSS LAN and CPSRMS application and\nperformed a tabletop test on this ISCP in FY 12. Management later added the continuity\nprocedures in the ISCP for ITDSRAM. According to management, the remediation task\nperformed has reduced the risk sufficiently to allow agency officials to accept the residual risk\nand recertify the GSS LAN. However, management has not yet retested the ISCP. In addition,\nmanagement did not perform a functional test of the ISCP as required by NIST SP 800-34.\nMoreover, management does not employ backup strategies to meet the Recovery Point\nObjectives (RPOs) documented in the ISCP.\n\n   In FY 10 and FY 11, no formal policies and procedures existed governing the contingency\nplanning process. However, management finalized a Contingency Planning Policy in March of\n2012 and updated it in September of 2012. Our review of the Contingency Planning Policy\nfound that it did not enumerate the test, training and exercise (TT&E) program requirements\nrequired of it by FCD1, and that management had not fully implemented the Contingency\nPlanning Policy. Additionally, the agency had not performed and documented a Business Impact\nAnalysis, developed or tested a Continuity of Operations Plan (COOP), Disaster Recovery (DR)\nPlan, Business Continuity Plan (BCP), or established an alternative processing site as is required\nby NIST SP 800-34 and NIST SP 800-53. Management expects to complete each of these tasks\non or before September 2013.\n\nContingency Planning Recommendations:\n\n1) Management should enhance its Contingency Planning Policy and procedures to address all\nNIST and OMB requirements. EXIT management should solicit input from each of the CPSC\ndepartments when developing these policies and procedures to ensure proper coverage.\n\n2) Management should train all apposite resources on the continuity planning responsibilities\nassigned to them in the policy.\n\n3) Management should perform, document and approve a formal Business Impact Analysis in\naccordance with NIST SP 800-34.\n\n4) Management should develop, test, and approve an agency COOP in accordance with NIST\nSP 800-34.\n\n5) Management should develop, test, and approve an agency DR Plan in accordance with NIST\nSP 800-34.\n\n6) Management should develop, test, and approve an agency BCP in accordance with NIST SP\n800-34.\n\n                                                                                                17\n\x0c7) Management should perform a functional test the CPSC ISCP in accordance with FEMA and\nNIST guidance.\n\n8) Management should implement a solution to allow management to meet the RPOs for all\ncritical agency systems.\n\n9) Management should draft after-action reports to document the \xe2\x80\x9clessons learned\xe2\x80\x9d that are\nidentified as part of the COOP, DR, and BCP plan testing.\n\n10) Management should establish an alternative processing site. This site should contain the\nequipment and supplies required to resume operations in time to support the organization-defined\ntime period for resumption.\n\nContractor Systems Review:\n\n   Management formalized a policy to govern the oversight of contractor systems on August 7,\n2012. Management also developed a comprehensive inventory of third party systems that\ninterconnect with agency systems in FY 11 and management updated this inventory in FY 12.\nThe CPSC utilizes Memorandums of Understanding (MOUs), Interconnect Security Agreements\n(ISAs) and Statements of Work (SOWs) to govern all inter-governmental IT relationships.\nHowever, in FY 12, the CPSC began to utilize a cloud-based Software as a Service (SaaS)\nsolution provided by a non-governmental contractor, and the agency\xe2\x80\x99s Contractor Security\nOversight policies and procedures do not outline the process by which management controls\nsuch cloud-based SaaS implementations. Also, management did not perform procedures to\nobtain assurance that the agency has implemented the user controls outlined in the GSA\'s\nSecurity Authorization Package for the cloud-based solution.\n\n   The CPSC interconnects with Department of Transportation (DOT) and Department of the\nInterior (DOI) systems. However, the CPSC, DOT, and DOI did not perform an annual update\nto these MOU/ISAs in FY 12 to ensure that the information contained within these documents is\nup-to-date. They should each review these agreements on an annual basis to ensure that the\nconnecting systems continue to provide adequate security to allow the interconnection. In\naddition, management has never established an information system connection or processing\nagreement with a contractor who has client machines connected to the agency network.\nManagement also did not verify the implementation of the security controls specified in the\nCPSC information security policies and security plan for this contractor.\n\n   Management has not fully implemented the Contractor Security Oversight Policy.\nManagement has not established processes and procedures to track the various interagency\nservice agreements and metrics applied throughout the lifecycle of the IT security services within\nthe organization. Management does not notify the contracted third parties of intrusions, attacks,\nor internal misuse, so the third party can take steps to determine whether its system has been\ncompromised. Management does not analyze audit logs (by an automated tool or manual\nreview) to detect and track unusual or suspicious activity across the interconnection that might\nindicate intrusions or internal misuse. Management does not utilize automated tools to scan for\n\n                                                                                               18\n\x0canomalies, unusual patterns, or known attack signatures and to alert administrators that the tools\ndetected a threat. The ISSO or delegate does not periodically review audit logs to detect patterns\nof suspicious activity that scanning tools might not recognize. EXIT does not coordinate\ncontingency planning, training, testing, and exercises with any third party contractors to\nminimize the impact of disasters. In addition, management has not established joint procedures\nwith the third parties based on existing contingency plans.\n\nContractor System Recommendations:\n\n1) Management should update the Contractor Oversight Policies and Procedures to include the\nprocess by which management controls cloud-based SaaS implementations.\n\n2) Management should establish processes and procedures to track various interagency service\nagreements and metrics that it applies throughout the lifecycle of the contracted IT security\nservices within the organization.\n\n3) Management should notify third parties of intrusions, attacks, or internal misuse, so the third\nparty can take steps to determine whether its system has been compromised.\n\n4) Management should include a requirement in each ISA compelling the connecting third\nparties to provide the CPSC with the known security weaknesses that might have an impact on\nthe CPSC\'s mission.\n\n5) Management should analyze audit logs to detect and track unusual or suspicious activity\nacross the interconnections that might indicate intrusions or internal misuse.\n\n6) Management should implement automated tools to scan for anomalies, unusual patterns, and\nknown attack signatures and management should configure these tools to alert administrators if a\nthreat is detected.\n\n7) The ISSO or delegate should periodically review audit logs to detect patterns of suspicious\nactivity that scanning tools might not recognize.\n\n8) Management should coordinate contingency planning, training, testing, and exercises with\nany third party contractors to minimize the impact of disasters.\n\n9) Management should establish joint procedures with the interconnecting third parties based on\nexisting contingency plans.\n\n10) Management should perform and document an assessment to ensure that agency resources\nhave adequately implemented the user controls outlined in the GSA\'s Security Authorization\nPackage for the cloud-based SaaS solution the CPSC utilizes.\n\n11) System owners and management should review and update the CPSC/DOI and CPSC/DOT\nMOU/ISAs on an annual basis. Once the System Owners provide the ISA/MOU to management,\nmanagement should review the agreement for appropriateness and certify it if it meets CPSC\n\n                                                                                                 19\n\x0csecurity standards. If the third parties with whom we are dealing fail to take the initiative in this\narea, CPSC management should initiate contact to ensure these agreements are current and\nactive.\n\n 12) Management should update the Contractor Security Oversight policies/procedures to\nexplicitly address what management must do to ensure the agency adequately addresses all\ndocumented user control considerations for each of the third party IT systems.\n\n13) Management should verify the implementation of required security controls on the identified\ncontractor system as specified in the organization\'s information security policy and security plan;\nor established an approved information system connection or processing agreements with the\norganizational entity hosting the external information system.\n\nSecurity Capital Planning Review:\n\n   In FY 11, management documented a process to govern the CPSC\xe2\x80\x99s Capital Planning, and\nInvestment (CPIC) process that generally meets the requirements set forth in NIST SP 800-65,\nIntegrating IT Security into the Capital Planning and Investment Control Process. However, as\nof the OIG review in FY 12, this process remains a work in progress, and management has not\nfully implemented this process. In addition, the policy and procedure documents do not meet all\nNIST SP 800-53 and OMB M 11-33 requirements. The procedures do not define how\nmanagement integrates security into the CPIC process, or how management plans and budgets\nfor on-going security costs, such as costs to perform the remediation activities outlined in the\nagency\xe2\x80\x99s POAMs.\n\n   The OIG contracted Withum Smith and Brown (WS&B) to perform an Information\nTechnology Investment Management (ITIM) assessment in August 2010 that included an audit\nof the CPIC process. At that time, WS&B reported that the agency\xe2\x80\x99s Investment Maturity Level\nwas at stage one of the ITIM framework and partially compliant with the stage two requirements.\nAlthough the OIG did not reassess the agency Investment Maturity this fiscal year, management\nconcedes this remains a work in progress and management has not implemented all of the CPIC\npolicies and procedures.\n\n   The agency uses contract services for a vast majority of its IT projects. The contractors, who\nare responsible for developing the systems, in conjunction with the CPSC Security Team, are\nalso responsible for implementing system security. Management has not recorded these costs as\ndistinct line items, and management cannot trace these costs back to the Capital Planning and\nInvestment documentation.\n\n   Additionally, the CPSC Investment Review Board (IRB) is responsible for prioritizing all\nfacets of agency IT investments, including IT Security investments, against the agency mission.\nThe consequent prioritization results in the decision to fund or withhold funding from a\nparticular project for the next fiscal period. Furthermore, to ensure that management adequately\nprioritizes security in IT investments, the Information System Security Officer (ISSO) is a voting\n\n\n\n\n                                                                                                   20\n\x0cmember of the weekly IT management prioritization meetings that management holds, in part, to\nprepare investment recommendations for the IRB. Moreover, the ISSO participates in the IRB in\na non-voting capacity.\n\n   Management has not assigned IT security a separate budget. Instead, management has funded\nsecurity on a project-by-project basis, and not separated the project security costs into discrete\nline items. Although management allocates funding for security to each project according to the\nproject components, management cannot trace these costs to the Capital Planning documents\nsent to OMB in the fall.\n\nSecurity Capital Planning Recommendations:\n\n1) Management should enhance and implement existing policies/procedures to ensure that the\ncosts associated with remediating security weaknesses are properly cross-referenced to the\ncapital planning materials sent to OMB in the fall. Management might accomplish this by\ncreating a separate IT security project and assigning all IT security costs, including the costs\nassociated with remediating existing security weaknesses, to this project. Once management has\nassigned the IT security costs to the IT security project, the details from the project should be\nincluded in the Exhibits sent to OMB in the fall. Additionally, management should enhance and\nimplement existing policies/procedures to require agency personnel to document the appropriate\ninvestment\'s Unique Investment Identifier (UII) in each POAM. This will facilitate traceability\nfrom the agency\'s POAMs to its capital planning documentation.\n\n2) Management should enhance and implement existing policies/procedures to require all\nPOAMs to reflect the estimated resource needs for correcting reported weaknesses and to specify\nwhether funds will come from a reallocation of base resources or a request for new funding.\nWhile the POAMs will not be used as agency funding requests by OMB, a brief rationale should\nbe provided when a request for new funding is contemplated.\n\n3) Management should create a separate cross-investment project for IT security. The IT\nsecurity project should include all staff, in the form of full time equivalents (FTEs), assigned to\nIT security functions and all cross-investment contractor IT security support costs for each of the\nagency\'s IT investments.\n\n4) Management should ensure that all relevant existing and future IT contracts include separate\nline items for security costs as the services and systems provided by contactors often include a\nsecurity component.\n\n5) Management should record the IT security costs documented in existing and future contracts\nacross all investments in the capital planning and investment documentation. This will allow\nmanagement to document both the in-house costs and the contractor costs and provide\ntraceability to the capital planning and investment documentation.\n\n6) Management should ensure that all project initiation requests include a line item for security.\nThis line item will allow management to tie the security costs associated with the individual\nprojects back to the investment and to the budgeting documentation.\n\n                                                                                                 21\n\x0c7) Management should document the Unique Investment Identifiers (UII) associated with each\nsecurity weakness in the agency POAMs and record the cost to remediate the weakness in the\nappropriate investment.\n\n2. Security Operational Controls\nPrior Finding: Security operational controls are used to assess the security of the system\nprocesses and the people who interact with or operate those systems. Because the CPSC\nmanagement had not implemented sufficient operational controls in the area of personnel\nsecurity, data integrity, and documentation, the CPSC management was not able to address\nsecurity procedures to focus on security mechanisms that affect the daily operation of the\nCommission. OMB Circular A-130, Appendix III requires that sufficient operational controls for\npersonnel security, data integrity, and documentation be in place. This condition may have been\ndue to the CPSC management not having the resources necessary to make implementation of\noperational controls a priority. The level of risk was rated "high" for personnel security and data\nintegrity.\n\nPrior Recommendation: CPSC Management should implement sufficient operational controls\nin the areas of personnel security, data integrity, and documentation in order to ensure efficient\nand effective management of the IT systems in support of the CPSC\'s mission.\n\nAction Taken: Significant progress has been made since 2001 to address this issue, even though\ngaps remain. As previously mentioned, the CPSC developed the Information System Security\nPlan (SSP) for the GSS LAN in 2002. Patriot, the contractor that developed the SSP, reported\nthat in order for the CPSC to adequately implement and maintain the requirements of the SSP, a\nstaff of three full-time personnel (information system security officer, network security engineer,\nand applications security engineer) would be needed. Qualifications for and responsibilities of\neach position were delineated in the 2003 SSP. The CPSC has since hired an information system\nsecurity officer and, in FY 11, provided him with one staff member to implement and maintain\nthe SSP requirements. Management is also in the process of hiring a second information system\nsecurity officer to oversee IT security. Management contracted out the remaining\nresponsibilities on an \xe2\x80\x9cas needed\xe2\x80\x9d basis. However, management continues to require additional\ninternal resources to adequately implement and maintain the SSP requirements.\n\n   In FY 2007, OMB mandated that agencies adopt security configurations for Windows XP and\nVISTA, as well as a policy for ensuring new acquisitions include common security\nconfigurations. (See OMB Memorandum M-07-11 "Implementation of Commonly Accepted\nSecurity Configurations for Windows Operating Systems," and OMB Memorandum M-07-18\n"Ensuring New Acquisitions Include Common Security Configurations,") The CPSC has since\nformalized a Configuration Management Policy to govern this process. However, management\nhad not fully implemented this policy, developed attendant procedures, or implemented\nconfiguration baselines for all agency hardware and software.\n\n\n\n\n                                                                                                22\n\x0c   The theory behind the requirement for agency wide security configuration policies is that\ncommon security configurations provide a baseline level of security, reduce risk from security\nthreats and vulnerabilities, and save time and resources. This allows agencies to improve system\nperformance, decrease operating costs, and ensure public confidence in the confidentiality,\nintegrity and availability of Government information.\n\nConfiguration Management Review:\n\n   As a result of the OIG\xe2\x80\x99s follow up on actions taken to remediate prior findings, as well as the\ntesting for the FY 10, FY 11 and FY 12 FISMA reviews, the OIG noted several improvements\nand new findings. Although the agency baselined Windows XP in FY 11, and implemented the\nUnited States Government Configuration Baseline (USGCB) [formally, the Federal Desktop\nCore Configuration (FDCC)] recommended configurations for Windows XP, management did\nnot properly document or implement baseline configurations for all other agency software or\nhardware components. In FY 12, management baselined Windows 7 and the version of IE8\nresiding on the Windows 7 clients. However, management has not baselined the versions of IE7\nand IE8 residing on the Windows XP clients. Management expects to decommission all\nWindows XP clients and to fully deploy Windows 7 no later than the first quarter of FY 13.\nTherefore, management does not intend to baseline this software.\n\n   Management also documented configuration baselines for the following software: Windows\n2008, SUSE Linux servers, MySQL, Netware, Oracle, SQLServer, Sybase, and VMWare in FY\n11. However, management has not reviewed or updated these baselines in FY 12. Management\ndid not include all of the required information in these baseline documents. For example,\nmanagement did not consistently document the current version of the software, the software\xe2\x80\x99s\npatch information, and the logical placement of the component within the system architecture.\nAdditionally, management has not documented baseline configurations for any other system\nhardware or software, including the Windows Server 2003, Microsoft Office, SharePoint Server\n2007, Checkpoint firewall, and Cisco IOS. Also important to note, management has not\nintegrated updates to the baseline configuration documents into the change management process.\nTherefore, management does not capture changes to systems and system environments occurring\nthroughout the year in the baseline document until the end of the year, at the earliest.\n\n   In FY 11, agency management began scanning agency clients for compliance with the\nrequired USGCB/FDCC settings. In FY 12, management began sharing a summary of these\nresults in a monthly security status report. In addition, in FY 12, management selected the\nDefense Information System Agency (DISA) settings, available in checklist form in the National\nVulnerability Database (NVD), to apply to agency systems to harden them. Management then\nbegan scanning agency software for compliance with these checklists. Although management\nhas not applied these settings to all agency systems, they have begun to apply them to the\nWindows and Linux servers. Also in September 2012, management began to perform non-\ncredentialed scans of the network to identify vulnerabilities. However, the agency has not\ndeveloped and implemented a process to remediate the non-compliances identified in the\nUSGCB/FDCC and DISA compliance scans or the vulnerabilities identified in the non-\ncredentialed scans. Management also does not share the results of the DISA scans and the non-\n\n\n\n                                                                                                23\n\x0ccredentialed scans with all of the appropriate agency officials to ensure they identify and\neliminate similar vulnerabilities in other information systems (i.e., systematic weaknesses).\n\n   Management has not developed and implemented Standard Operating Procedures (SOPs) for\nthe Configuration Management process. Management does not maintain a comprehensive\ninventory of hardware and software. Therefore, management does not have a comprehensive\ninventory of critical hardware and software requiring configuration baselines. Management has\nmade some progress in remediating this issue and partially implemented tools to assist the\nagency in their efforts to develop and maintain a comprehensive software/hardware inventory.\nHowever, management has not selected all of the tools required to allow them to develop and\nmaintain a comprehensive software/hardware inventory, and has not purged all known\nunauthorized software from the network. Furthermore, management did not adequately control\nlocal administrative access to clients throughout the entire year. This has increased the risk that\nusers may installed unknown and unsecured software on the agency\xe2\x80\x99s network. However, in FY\n12, management improved its controls over local administrator access to agency clients.\nManagement limited the number of users with local administrative access to their clients and\nimplemented a formal review of this access. With these improvements, management can ensure\nthe agency only grants access to users requiring this access for their job functions. Although this\nimprovement will not, in and of itself, remediate the issue, once management develops a\ncomprehensive software inventory and implements a whitelisting solution, the agency will have\nsubstantially better control over what software and hardware resides on its network. These\nimprovements will also assist the agency with its efforts to improve property accountability and\nsoftware license compliance. Management cannot achieve software license compliance without\nthese tools and controls in place.\n\n  As mentioned earlier, management does not adequately perform and document SIAs for each\nsystem change. The change control forms, which require completion prior to the change being\nimplemented, do not provide enough information to make an accurate determination of how\nsecurity will be affected as a result of the change. The resources who are performing and\ndocumenting the changes are not security experts. Because they are not experts, they are not\nqualified to complete the "How Security Affected" section in the change control form.\nTherefore, management cannot adequately perform an assessment to determine the security\nimpact to the operating environment and control framework. Additionally, the ISSO did not\napprove all changes prior to implementation in FY 12.\n\n   The agency formalized a Change Management policy and Configuration Management Policy\nin FY 11. However, management has not fully implemented these policies. The Change Control\nBoard does not approve all major configuration changes as required by the IT Change Control\nPolicy and Configuration Management Policy. Management does not audit activities associated\nwith system change control and management did not adequately document the testing procedures\nused to test all system changes. Therefore, system administrators may implement unauthorized\nor inadequately tested changes on the production network leaving the organization susceptible to\nunexpected system failures, as well as external and internal attacks.\n\n  The agency formalized a Patch Management policy in FY 11. However, management did not\nreview and update the Patch Management policy in FY 12. Management has not implemented\n\n                                                                                                24\n\x0can automated process to systematically identify flaws or vulnerabilities for all CPSC servers on a\nmonthly basis. Management also does not report server flaws and vulnerabilities in the Monthly\nSecurity Status Reports. However, although management has not begun performing patch\nmanagement scans on the agency\'s Linux servers, they began performing weekly patch\nmanagement scans of the Windows Server 2003 and Windows Server 2008 servers on\nSeptember 1, 2012.\n\n   Management has not implemented a process to require technical resources to identify and\nimplement critical server, database and widely used application patches in a timely manner.\nAlso, although management has implemented a process to patch agency clients in a timely\nmanner, the resources responsible for these tasks did not consistently implement client patches in\na timely manner. Management could not provided evidence that the agency tested server patches\nin accordance with NIST SP 800-53, SI-2 or the CPSC Patch Management Policy. Additionally,\nthe language management included in the change management forms indicates that management\ndeployed patches directly into production without being tested.\n\nConfiguration Management Recommendations:\n\n1) Management should develop and implement SOPs to standardize the implementation of the\nConfiguration Management process. The Configuration Management SOPs should include the\nfollowing:\n    a) Time frames in which the agency must remediate / accept identified baseline variances.\n    b) The process by which management documents and justifies baseline configurations\ndeviations (including USGCB/FDCC and DISA deviations)\n    c) The process by which agency resources coordinate and provide oversight for\nconfiguration change control activities. Agency resources must provide oversight for\nconfiguration change control activities through an organization-defined configuration change\ncontrol element (e.g., committee, board] that convenes based on an organization-defined\nfrequency and/or based on organization-defined configuration change conditions.\n    d) The process by which the agency reviews and updates the baseline configuration of each\nof the information systems. This process should include how frequently the agency reviews and\nupdates the baseline configurations. It should also include a list of agency-defined circumstances\nrequiring the update of the baselines. Additionally, it should outline how the agency updates the\nbaseline configurations as an integral part of information system component installations and\nupgrades.\n    e) The process by which management identifies and inventories hardware and software\nrequiring configuration baselines.\n    f) The process by which the agency identifies and justifies all systems and system\ncomponents not requiring baselines. Currently, the policy refers to all "information systems".\nHowever, management does not intend to baseline all information systems. Instead, the agency\nplans to determine the systems that require baselines and develop the configuration baselines\naccordingly.\n    g) What information management must include in each configuration baseline SOP (e.g.,\nconfiguration settings, patch level, Software Load and Version, system architecture, where the\nresource resides on the network, etc.).\n\n\n\n                                                                                               25\n\x0c2) The CPSC should develop an inventory of software and hardware requiring baselining, and\nthe process for developing this inventory should be documented in a procedure document. This\nshould be done with the assistance of the business owners. Business owners should identify\nMission Essential Functions and systems and provide this information to EXIT. EXIT should\nthen identify and inventory the software and hardware associated with these functions.\n\n3) The CPSC should establish and document mandatory configuration settings for information\ntechnology products employed within the information system. These configuration settings\nshould use defined security configuration checklists that reflect the most restrictive mode\nconsistent with operational requirements.\n\n4) Management should then implement the identified configuration settings.\n\n5) Management should identify, document, and approve exceptions from the mandatory\nconfiguration settings for individual components within the information system based on explicit\noperational requirements.\n\n6) Management should then monitor and control changes to the configuration settings in\naccordance with organizational policies and procedures.\n\n7) The agency should implement a solution to develop and maintain a current and\ncomprehensive software/hardware inventory. Management can install agents on all CPSC\nmachines to allow the agency to utilize Simple Network Management Protocol (SNMP) to\ndevelop a hardware inventory. However, this approach includes known security risks.\nTherefore, if management chooses to address this finding by implementing SNMP, management\nshould perform an assessment of the risks posed by SNMP.\n\n8) Management should purge the network of all unauthorized software.\n\n9) Management should implement a whitelisting tool that will systematically prevent\nunauthorized software from running on the network.\n\n10) Management should perform and document Security Impact Analyses for each system\nchanges that include a sufficient level of detail to allow the CPSC security team to make a\ndetermination of a system change\'s impact to the agency\'s control environment.\n\n11) Monthly security status reports, developed to describe the results of the ongoing continuous\nmonitoring activities performed by the agency, should include the results of the Security Impact\nAnalyses. At minimum, the security status reports should describe or summarize the results of\nthe SIAs, key changes to SSPs, SARs, and POA&M\xe2\x80\x99s, and the results of the scans described in\nthe Continuous Monitoring Plan.\n\n12) Management should develop a comprehensive Enterprise Architecture and management\nshould tie all system changes to the EA.\n\n\n\n\n                                                                                              26\n\x0c13) All USGCB/FDCC variances, along with a plan for remediation, should be documented and\nany known residual risk accepted.\n\n14) Management should actively maintain and update all baseline configuration documents.\nManagement should update baseline configuration documents anytime a change is implemented\nthat has an impact on the baseline configurations.\n\n15) Management should develop a process to remediate non-compliances to the baseline\nconfigurations identified as part of monthly scans, and document that process in an SOP.\n   a). Management should include a requirement to document a remediation plan for all non-\ncompliances identified as part of the monthly configuration management scans in the\nConfiguration Management Policy (or related SOPs).\n   b). Management should document required timeframes for the remediation of non-\ncompliances identified as part of the monthly configuration management scans in the\nConfiguration Management Policy (or related SOPs).\n\n16) Management should implement the process outlined in recommendation 15, and ensure that\nthe agency remediates configuration baseline non-compliances in a timely manner.\n\n17) Management should also implement and document controls to mitigate the risk posed by the\naccepted variances to the configuration baselines.\n\n18) Management should include a summary of the results of the DISA configuration compliance\nscans in the monthly Security Status Reports.\n\n19) Management should include a summary of the results of the non-credentialed vulnerability\nscans in the monthly Security Status Reports.\n\n20) Management should provide detailed results from configuration management and\nvulnerability scans to each of the branch chiefs to allow for the identification of systematic\nweaknesses/deficiencies.\n\n21) A Change Control Board should approve all major configuration changes.\n\n22) Management should update the baseline configuration documents, as appropriate, to reflect\nany changes resulting from the configuration changes and patches.\n\n23) Management should audit production changes periodically to validate the agency has\nadequately tested, documented and approved them.\n\n24) The ISSO or delegate should approve all system changes.\n\n25) Management should provide training to resources responsible for implementing system and\nconfiguration changes. Management should train these resources on the CPSC change\nmanagement procedures, and what information management requires when documenting a\nconfiguration change in a change management form.\n\n                                                                                                 27\n\x0c26) Assign a resource to act as a backup to the resource responsible for the patch management\nprocess to ensure management applies patches in a timely manner.\n\n27) Management should follow the processes outlined in the Patch Management Policy to\nensure timely testing and application of all server patches.\n\n28) Management should implement an automated process to systematically identify flaws and\nimplement patches for all CPSC servers.\n\n29) Management should implement server, database, and widely used application patches in a\ntimely manner and in accordance with the patch management policy.\n\n30) Management should test all server, database, and application patches in a test environment\nprior to deploying the patch to production.\n\n31) Management should document all server, database, and application patches in the change\nmanagement database and document the process used to test these patches.\n\n32) Management should add separate queries to the change management database to allow users\nto search on server, database, and application patches.\n\n33) Audits should be performed to identify all missing patches and the results of these audits\nshould be included in Continuous Monitoring reports provided to OMB. Management should\nthen implement these patches. If the agency decides not to implement the missing patch,\nmanagement should document a formal justification.\n\n34) Management should improve the process for managing the IT software requests.\nManagement should implement an automated tool (such as SharePoint) that houses all of the IT\nsoftware request information and software licensing information. Management should use this\ntool to obtain and document software requests. Management should also use this tool to\nsystematically require approval by the appropriate resources prior to closing / completing the\nnew software request.\n\n35) Management should develop and enforce a process to govern software license compliance:\n    a) Management should document and maintain a comprehensive software inventory.\n    b) Management should document the number of instances of each type of software installed\non the network.\n    c) Management should document and inventory all software licenses owned by the agency.\n    d) Management should reconcile the software instances installed on the network to the\nsoftware licenses owned by the CPSC and remediate any discrepancies.\n    e) Management should perform periodic audits to ensure compliance.\n\n\n\n\n                                                                                                 28\n\x0cIncident Response and Reporting review:\n\n  The agency developed and formalized an Incident Response Policy on August 20, 2011 and\nmanagement reviewed and updated this policy on August 6, 2012. Additionally, management\ndeveloped an Incident Reporting database, to track incident reports, and this tool resides on the\nIT Security SharePoint site. Management also maintains the existing Incident Response policy,\nprocedures, and plan in the IT Security SharePoint site. However, management has not finalized\nthe procedures or fully implemented the policy.\n\n   Management has assigned resources to a Computer Security Incident Response Team\n(CSIRT). However, management has not trained these resources on their incident reporting\nresponsibilities, and these resources are not performing the tasks outlined in the policy and\nprocedures. Until this process is established and operational, management cannot adequately\nperform a comprehensive analysis of, validate, and document all security incidents.\n\n   Currently, the CPSC security team documents and tracks all security incidents of which they\nare notified in the Incident Response Database. The documented security incidents include the\ndate the incident began, a description of the incident, the priority of the incident, comments from\nincident handlers, the status of incident, and the next steps taken. However, the OIG could not\nattest to the timeliness of the security team\'s response to and resolution of security incidents\nbecause management did not include enough detail in the incident documentation. The incident\nreports do not include the time and date of security team notification, and the incident response\npolicies, procedures and plan do not outline performance metrics, such as response times, days to\nresolve, and out of tolerance indicators. Therefore, the OIG could not assess if the security team\nresponded to and resolved incidents in a timely manner. However, the OIG found several\ndocumented security incidents that remained active and unresolved despite management having\nopened them between 2 and 20 months ago.\n\n  The agency drafted Forensic Incident Response procedures and an SOP that outlines law\nenforcement notification requirements in FY 12. However, management does not intend to\nimplement these procedures until FY 13. Additionally, management did not notify United States\nComputer Response Readiness Team (US-CERT) in accordance with the timeframes outlined in\nthe Incident Response Policy and in the Federal Guidelines for the documented incidents.\n\n   Additionally, management implemented several solutions since FY 11 to improve its ability to\nmonitor for incidents. Management partially implemented the Trusted Internet Connection (TIC)\nin July of 2012 and a log management solution in FY 11. The TIC consolidates external network\nconnections across the Federal government. The TIC also allows for the central monitoring of\nnetwork traffic for malicious activity, across the government. A monitoring tool called Einstein\n2 that management implemented in conjunction with the TIC facilitates this. The Einstein 2\nsolution monitors for specific predefined signatures of known malicious activity at the\nagencies Internet connections. Einstein 2 alerts US-CERT directly when it detects specific\nmalicious network activity matching predetermined signatures allowing the CPSC to utilize US-\nCERT expertise and resources.\n\n\n\n\n                                                                                                29\n\x0c   Management implemented and configured a log management solution to notify system\nadministrators of a list of predefined security events identified by other network monitoring\nsolutions. Management has not yet fully optimized the log management solution, although\nmanagement has made significant progress in this effort. For example, the log management\nsolution now notifies management of the occurrence of predefined events across eight different\nmonitoring tools. However, management has not implemented a solution to monitor for actions\nconstituting internal threats or to identify unauthorized activity by inspecting outbound network\ntraffic (extrusion detection). Although management maintains VPN and Firewall logs,\nmanagement does not actively monitor these logs due to a lack of resources to perform these\ntasks. The log management solution is capable of such monitoring. However, at this time\nmanagement has not configured the log management solution to alert management on predefined\nVPN traffic activities, and the only firewall activity the log management solution reports on are\nchanges to firewall policies.\n\nIncident Response and Reporting Recommendations:\n\n1) Management should define performance metrics, such as response times, days to resolve, and\nout of tolerance indicators, in the policies and procedures based on best practices and industry\nstandards and adjust them once the incident response process evolves.\n\n2) Management should fully implement the Incident Response policy and procedures.\n\n3) Management should train the CSIRT members on the responsibilities assigned to each of\nthem and implement the CSIRT in accordance with the Incident Response Plan.\n\n4) Management should implement and configure an extrusion detection solution to alert\nadministrators of potential internal treats.\n\n5) Management should implement a solution and configure it to alert management in the event\nof an organization defined list of VPN or firewall events, such as suspicious outbound traffic, or\nsuspicious activity on an unusual port. This will allow for a meaningful analysis of both internal\nand external network activity. Alternatively, management should formally perform a manual\nreview the VPN/firewall logs to identify suspicious activity and correlate these events.\n\n6) Management should notify US-CERT and law enforcement of security incidents within the\nfederally and organizationally prescribed timeframes.\n\n7) Management should report all security incidents to the ISSO immediately upon discovery,\nand the ISSO should track these incidents in the Incident Response Database. Incidents tracked\nshould include relevant alerts from monitoring tools, as well as VPN and Firewall alerts (based\non an organization-defined set of criteria).\n\n8) Management should not only date-stamp but also time-stamp all actions taken to address\nsecurity issues in the incident response reports.\n\n\n\n\n                                                                                                30\n\x0c9) Management should document the time and date the security team/CSIRT is first notified of\nthe incident in the SharePoint tool used to monitor the incidents.\n\nSecurity Training:\n\n   Only one element is missing from the CPSC\xe2\x80\x99s Security Awareness and Training policies and\nprocedures. The Security Awareness and Training policies do not include the requirement for\nthe agency to provide security training based on the 25 user groups outlined in NIST SP 800-16.\nThe agency does not provide role-based training to its resources. Instead of developing\nindividualized security training for each of the 25 specific user groups outlined in NIST SP 800-\n16, the agency provides one training course for all CPSC personnel, and provides additional\ntraining courses for personnel within the IT department with significant information security\nresponsibilities. However, although management customizes the training courses it provides to\nthe IT security personnel to provide more relevant and current information, management did not\nprovide training to address IT security from a System Development Lifecycle (SDLC)\nperspective as required by NIST SP 800-16.\n\n   Management\xe2\x80\x99s increased efforts to ensure CPSC personnel complete the agency provided\nsecurity awareness training have resulted in substantial improvements. In FY 12, management\nimplemented a zero tolerance approach for addressing personnel who did not complete their\nannual security awareness training. Management now revokes access to any user who does not\ncomplete the CPSC provided security awareness training course within the provided timeframes.\nImplementing this approach has increased security awareness training participation from 67.5%\nin FY 11 to 96% in FY 12.\n\nSecurity Training Recommendations:\n\n1) The agency should develop a NIST SP 800-16 compliant training program.\n    a) The Security Awareness and Training policies and procedures should require management\nto provide each NIST SP 800-16 "user group" defined within the agency security training\nprogram, role based training specifically developed for their group.\n    b) The training criteria, if not the content, for each user group should be outlined in the\npolicy. For details on the required training criteria, please see NIST SP 800-16, pages 98 - 154;\nNIST SP 800-16, appendix E; and summaries in NIST SP 800-50, pages 25-27.\n\n2) Agency management should assign all agency resources to one of the 25 user groups\ndocumented in NIST SP 800-16.\n\n3) Once assigned to a NIST SP 800-16 defined user group, agency management should then\nselect appropriate training courses and provide security training to those agency resources\ncommensurate with their user groups. The DHS Information System Security Line of Business\n(ISSLOB) has been working with agencies to develop a standardized curriculum and to select\ninformation security Shared Service Centers (SSC). The ISSLOB SSC\'s provide an efficient and\ncost-effective solution for agencies to procure general information security training for\nemployees and contractors. For more information on this program, contact the ISSLOB program\nmanagement office at isslob@dhs.gov.\n\n                                                                                               31\n\x0c3. Security Technical Controls\n\nPrior Finding: Security technical controls are specific to the system\'s ability to identify, track,\nand act on authorized or unauthorized usage. Because the CPSC management had not\nimplemented sufficient technical controls in the areas of identification and authentication, logical\naccess, and audit trails, the CPSC management had left sensitive information vulnerable. This\ncondition appears to have been due to the CPSC management not having the resources necessary\nto make implementation of sufficient technical controls a priority. The level of risk was rated\nhigh for identification and authentication, and logical access.\n\nPrior Recommendation: The CPSC management should implement sufficient technical\ncontrols in the areas of identification and authentication, logical access, and audit trails in order\nto protect the information that is used to support the mission of the Commission.\n\nAction Taken: The effectiveness of six of the CPSC\'s systems, and the underlying elements of\neach, were tested during the FY 2001 audit. Weaknesses identified in controls related to these\nsystems contributed to the overall condition of the CPSC\'s information security program. As\nreported in the management response to the original audit, the CPSC requested funding in Fiscal\nyears 1999 through 2002 without success to establish a capital budget for information\ntechnology. The need for such funds was also included, unsuccessfully, in the CPSC\'s FY 03\nand 04 budget requests. Budget requests cited the need for new investments to protect the\ncurrent operating capability and efficiency of information technology. According to the Budget\nOfficer, in the absence of a capital budget for information technology, the CPSC has applied\nsome savings from operating funds to this area. In FY 02, the CPSC committed over $500,000\nfrom one-time salary savings to this area to develop an SSP, address data system weaknesses,\nenhanced firewall intrusion detection capabilities, and other operating and system application\nenhancements. In FY 03, the total CPSC Information Technology commitment was $714,891 in\nthe form of salaries and other expenses. In FY 04, the CPSC committed $715,000 for its\nInformation Technology programs. In FY 05, this figure rose to $1,035,100. In FY 06, the\nCPSC spent $2,082,050 on its IT programs. In FY 07, the CPSC committed $6,300,000 to its IT\nprogram. In FY 08, the CPSC\'s commitment rose to 30 FTEs and $13,000,000. In FY 09, the\nCPSC\xe2\x80\x99s commitment rose to 31.1 FTEs and $19,832,939. In FY 10, the CPSC\xe2\x80\x99s commitment\nrose again to $26,492,137. However, in FY 10 the FTEs fell to 30.9. In FY 11, the CPSC\xe2\x80\x99s\ncommitment fell to $23,617,310. However, FTEs increased from 30.9 in FY 10 to 36.6 in FY\n11. In FY 12, the CPSC\xe2\x80\x99s expenditures committed to IT services fell again to $21,617,065 and\nFTEs decreased to 36.4. Work on implementing the recommendations contained in the SSPs and\nmore recent guidance continues.\n\n   The CPSC acknowledges its need for continued improvement. Over the past few years, the\nCPSC has met the following goals in its effort to improve its security technical controls:\nimplementing a security awareness training program, implementing solutions to perform\nautomated system auditing, implementing the monitoring of Internet usage, implementing an\nIntrusion Prevention System, implementing multi-factor authentication for most agency\nresources, implementing a solution to restrict access to client USB ports by non-encrypted flash\ndrives, implementing periodic reviews of user with elevated network privileges, and\nimplementing a tool which allows the agency to inventory all network user accounts.\n\n                                                                                                    32\n\x0cRemote Access Management review:\n\n   Management developed and formalized policies for authorizing, monitoring, and controlling\nremote access in FY 11, and management updated and recertified these policies in FY 12.\nHowever, the Remote Access Management policies do not include several key elements. The\nRemote Access Management policy does not include a list of security functions and security-\nrelated information that users can access remotely or the additional controls management has\nimplemented to ensure these users do not misuse this access. Additionally, management has not\ndefined the networking protocols the agency has deemed non-secure within the\npolicies/procedures.\n\n   Although management has developed Teleworking and Remote Access procedures, these\nprocedures do not address several operational topics. The procedures do not provide for checking\nfor upgrades and patches to the remote access software components, and acquiring, testing, and\ndeploying those updates. The procedures do not address reconfiguring access control features as\nneeded based on factors such as: policy changes, technology changes, audit findings, and new\nsecurity needs. Moreover, the procedures do not address detecting and documenting anomalies\nidentified within the remote access infrastructure. Such anomalies might indicate malicious\nactivity or deviations from policy and procedures. These anomalies should be reported to other\nsystems\xe2\x80\x99 administrators as appropriate. Furthermore, procedures in place for monitoring remote\naccess are inadequate. Management has not implemented controls, such as ingress filtering,\negress filtering, deep packet reviews, non-repudiation controls, or VPN and firewall logs\nreviews, to detect and prevent the subversion of authorized connections. Management has\nattributed this to current system limitations making the active monitoring of these logs\nimpractical and to an overall lack of resources.\n\n   Additionally, management has not fully implemented the remote access policies and\nprocedures. The Remote Access Policy states that remote sessions time-out after 30 minutes of\ninactivity. However, management has configured these sessions to time-out after 90 minutes of\ninactivity. The agency is aware of this and has decided to accept the risk associated with the 90-\nminute session lock-out. Management also does not monitor or review VPN and firewall logs as\nis required by the Remote Access policy. The agency also has a policy, which requires users to\nencrypt all sensitive information prior to transmitting the information outside of the internal\nnetwork. However, although the agency has implemented a tool to facilitate compliance with\nthis requirement in FY 12, management has not configured the CPSC email solution to\nsystematically encrypt emails prior to transmission across a public network. Also, management\ndoes not perform audits to ensure all sensitive emails and attachments transmitted across a public\nnetwork utilize the encryption tool appropriately. Therefore, although the process has improved\nwith the implementation of the encryption tool, an extremely high likelihood remains that users\nsend unencrypted, sensitive files over Public networks.\n\n  Management does not require all users to use multi-factor authentication to access the\nnetwork. Although management has not fully satisfied the NIST SP 800-46 and OMB M07-16\nrequirements, management has made substantial progress toward that goal and only a limited\nnumber of users remain who can access the network without the use of their Personal\nIdentification Verification (PIV) Card. Management does not uniquely identify and authenticate\n\n                                                                                               33\n\x0cusers accessing the network. Management has not implemented a formal process to control the\nestablishment and maintenance of common E-Directory and Active Directory (AD) accounts.\nAdditionally, management does not change account credentials when users separate from the\nagency or change job functions. Moreover, the Network Engineering and Computer Support\nTeams use generic administrator IDs to perform support functions. Agency resources that have\nadministrative rights access the GSS remotely using administrator accounts. Furthermore,\nmanagement does not monitor the tasks performed by the administrators while using these IDs.\n\n  Management does not properly document and report lost or stolen laptops/blackberries.\nManagement did not document all of the laptops and blackberries lost in FY 12 in the Incident\nReporting database. Management also did not report all of these lost devices to US-CERT. In\naddition, management does not document the time the user reports the lost/stolen device.\nTherefore, management cannot document the timeliness of its notification to US-CERT for these\ntypes of events.\n\nRemote Access Management Recommendations:\n\n1) Management should document and implement the following processes in a procedure\ndocument:\n    a) A list of the security functions and security-related information that users can access\nremotely and the additional controls in place to ensure these functions are not misused. In\naddition, management should implement and document specific audit procedures to ensure these\ncontrols are in place and effective.\n    b) An inventory of networking protocols management deems non-secure and a requirement\nto restrict access to these protocols.\n    c) The process by which management checks for upgrades and patches to the remote access\nsoftware components, and acquiring, testing, and deploying the updates.\n    d) The process by which management reconfigures access control features based on factors\nsuch as policy changes, technology changes, audit findings, and new security needs.\n    e) The process by which management detects and documents anomalies within the remote\naccess infrastructure. Such anomalies might indicate malicious activity or deviations from policy\nand procedures. Anomalies should be reported to other systems\xe2\x80\x99 administrators as appropriate\n\n2) The agency should follow the documented Remote Access Policy and the NIST mandated 30\nminute lock-out requirement for remote sessions.\n\n3) Management should implement a solution to systematically require the encryption of all\nsensitive information transmitted across a public network. Or periodically audit emails and\nattachments traversing a public network to ensure policy compliance. Or implement a data loss\nprevention (DLP) solution.\n\n4) Management should implement the CSIRT Team and assign them the task of documenting\nand remediating the risks associated with missing and stolen laptops and blackberries.\n\n5) Management should systematically require multi-factor authentication for all users accessing\nthe CPSC network.\n\n                                                                                               34\n\x0c6) Management should implement a formal process to approve the creation of new common user\naccounts.\n\n7) Management should implement a formal process to establish membership in the common\nagency accounts.\n\n8) Management should implement a formal process to disable common user accounts once no\nlonger required.\n\n9) Management should implement a formal process to change the common user account\'s\ncredentials once a member separates from the agency or changes job functions and no longer\nrequires access to the account.\n\n10) Management should grant administrators local administrative accounts to each CPSC server\nindividually, instead of using the global system administrator accounts. Management should\ncheck-in/check-out the passwords to the global system administrator accounts only when this\naccess is required.\n\n11) Management should implement a formal process to require management to change the\ncredentials on shared administrator accounts whenever a user with knowledge of these\ncredentials separates from the CPSC or changes job functions.\n\n12) Management should actively monitor remote user access and implement controls to detect\nand prevent the subversion of authorized network connections. Management may achieve this\nby the implementation of procedures and tools to facilitate ingress filtering, egress filtering, deep\npacket reviews, and VPN and firewall log reviews. Additionally, management should report the\nresults of these analyses and all other appropriate parties.\n\nIdentity and Access Management review:\n\n   The agency formalized the General Access Control policy on August 10, 2011 and recertified\nthe policy with updates on September 10, 2012. However, the procedures outlined in the\nGeneral Access Control policy did not include several key elements. These procedures did not\ninclude: the process by which management establishes and controls common/shared network\naccounts; the process by which management establishes and controls temporary, emergency, and\nguest accounts; the process by which management establishes and controls system accounts; and\naccount modification procedures. Management did not reference the individual system access\ncontrol SOPs for the agency\xe2\x80\x99s major applications in the General Access Policy. Management\nalso has not finalized an Access Control Policy and attendant procedures for CPSRMS.\n\n   Although management formalized the General Access Control Policy, management has not\nfully implemented the policy. The General Access Control Policy requires that agency\nmanagement audit all users with access to the CPSC systems and confirm the accuracy of the\ngroup access settings. Management is also required to submit the results of these audits to the\nISSO for record and maintenance purposes. However, management does not perform this audit.\n\n                                                                                                  35\n\x0cAlso, although management began performing periodic user access reviews on a semi-annual\nbasis in FY 12 for many agency systems, management did not perform a periodic user access\nreview for the CPSRMS application in FY 12.\n\n   The CPSC GSS does not uniquely identify and authenticate network devices before\nestablishing a connection to the CPSC GSS. The agency is in the process of implementing a\nsolution that it expects to remediate this issue. Management hopes to implement this solution in\nFY 13.\n\n  Management does not require all CPSC users to access the network using multifactor\nauthentication. However, management has made significant progress in implementing this\nrequirement. Management has configured all Window 7 clients to require multifactor\nauthentication and management plans to migrate all agency users to Windows 7 by the first\nquarter of FY 13. Once management completes the Windows 7 migration, network\nadministrators will be the only users able to access the network without multifactor\nauthentication. Management has decided to accept the risk associated with this vulnerability.\n\n   The agency has not implemented the Principle of Least Privilege and proper separation of\nduties for the GSS LAN. The agency does not have the ability to report on users with access to\nspecific security functions within AD or E-Directory. Because the agency has not implemented\na solution that will allow them to develop reports with this level of granularity management\ncannot apply the Principle of Least Privilege. Management has only configured two types of\nnetwork accounts: typical user accounts (with no access to any security function) and\nadministrator accounts (with access to all security functions). If a user has administrator access,\nthey can perform all security functions even if their specific job function does not require this\nability. Additionally, administrators have sufficient access to perform system administration and\naccess and alter the audit logs. In addition, users with administrative rights have the ability to\naccess the GSS remotely using their administrator accounts. Management does not require\nseparate accounts for these users to telework or perform non-administrative tasks. In addition,\nthe agency has not implemented the Principle of Least Privilege for CPSRMS. All CPS360 (a\nmodule within CPSRMS) users can view all incident reports, even those that management has\nnot approved for Public consumption, whether or not their job function requires access to these\ndata views.\n\n   Management began performing weekly staffing report reviews in FY 12 to ensure that the\nagency revoked separating employee\xe2\x80\x99s access to the network in a timely manner. However,\nmanagement does not perform this reconciliation for all agency systems. The OIG also noted\nthat, even with the improvement to the process, management does not consistently disable access\nto the agency network or other information systems immediately upon employee and contractor\nseparation. The OIG identified separated employees and contractors whom management had not\nrevoked from agency information systems as of September 30, 2012. In addition, management\ndoes not record the time and date it disables user accounts, and cannot provide evidence of the\ntimeliness of these revocations.\n\n  The OIG also noted management has not implemented an effective process for tracking and\ninventorying CPSC contractors. The contractor inventory and separation reports contain\n\n                                                                                                36\n\x0cinaccuracies. Active contractors appear on the contractor separation reports, and do not appear\nin the contractor inventory reports. The contractor inventory process is a manual process that\nrequires coordination between EXRM, EXIT, and agency Contracting Officer\xe2\x80\x99s Technical\nRepresentatives (COTRs). Management has not developed and does not actively maintain a\ncentralized contractor database to track contractor on-boarding and off-boarding. This, in\naddition to the lack of process standardization, has limited management\xe2\x80\x99s ability to revoke the\ninformation system access for separating contractors in a timely manner.\n\n  Management implemented a process to perform semi-annual reviews of major application user\naccounts in FY 12, although management did not perform this review for CPSRMS.\nManagement also implemented a process to perform a semi-annual review of common user\naccounts with elevated privileges in FY 12 and eliminated unnecessary common accounts.\nHowever, management has not defined a formal process to establish and further control\nshared/common user accounts. Management does not change credentials related to\ncommon/shared accounts once resources separate from the agency or change job functions.\nAdditionally, and compounding this risk, is management\xe2\x80\x99s use of generic administrator IDs.\n\nIdentity and Access Management Recommendations:\n\n1) Management should update the General Access Control policy to include roles and\nresponsibilities and to document how management coordinates access control tasks between the\nCPSC branches.\n\n2) Management should include the following elements in the General Access Control Policy and\nprocedure documents:\n    a) The process by which management establishes and controls common network accounts.\nThis should include how management authorizes and monitors common/anonymous accounts.\n    b) The process by which management establishes and controls temporary, emergency and\nguest accounts. This should include guidance on how management authorizes and monitors\nguest/temporary accounts. The procedures should define process for notifying account managers\nwhen temporary accounts are no longer required. The procedures should also include a\nrequirement to deactivate temporary accounts that management no longer requires access to\nthem.\n    c) The process by which the agency establishes and controls system accounts.\n    d). The specific procedures for the establishment and modification of user accounts,\nincluding a requirement for all new administrators to follow the formal user access request\nprocess.\n    e). The General Access Policy should reference the individual system access control SOPs.\n\n3). Management should draft, approve, and implement NIST compliant Access Control policies\nand procedures for CPSRMS.\n\n4). Program managers should perform periodic user access audits to ensure that user privileges\nfor all CPSC systems are and remain appropriate. They should then report these results to the\nISSO for record and maintenance purposes.\n\n\n\n                                                                                                 37\n\x0c5). Management should ensure the distribution of Access Control policies and procedures to all\nresources with significant access control roles and responsibilities.\n\n6). Management should create separate non-administrative user accounts for administrators, and\nrequire administrators to use these accounts when performing tasks that do not require\nadministrative privileges.\n\n7). Management should implement a solution that uniquely identifies and authenticates devices\nprior to establishing a connection to the CPSC GSS.\n\n8). Management should systematically require all users accessing the CPSC network to utilize\nmulti-factor authentication.\n\n9). Management should restrict access to the non-public data housed in CPSRMS only to users\nwith a business need for this access.\n\n10). Management should implement the Principle of Least Privilege for the GSS LAN.\n    a). The agency should define and document the functions/duties which have a significant\nimpact on agency operations and assets (e.g., create users accounts, modify firewall rules,\nmodify antivirus settings, reset passwords, modify DHCP, etc.)\n    b). The agency should revoke access to all users who have but do not require access to the\nfunctions defined above.\n    c). The agency should review the logs of all admin/super user accounts and restrict this\naccess if these levels of privilege are not specifically necessary to perform required job\nfunctions.\n    d). The agency should document the system controls in place (e.g., blocked ports, restricted\nprotocols, etc.).\n    e). The agency should document the specific access controls in place for\nproviding/controlling access required for the duties, functions and system restrictions described\nabove. Documentation can be in the form of access control policies (e.g., identity-based policies,\nrole-based policies, attribute-based policies, etc.).\n    f). Management should require administrators to utilize a non-administrative user account to\nperform tasks which do not necessitate the use an administrator account.\n\n11). Management should implement a solution that allows the agency to report on the specific\nprivileges assigned to each AD and E-Directory user account. These reports should be granular\nenough to report on which security function management assigns to each user account.\nManagement should perform periodic audits of these reports to ensure access remains\nappropriate.\n\n12). Management should limit administrator\'s access to update audit logs and implement a\nsolution to monitor changes to the audit logs and notify the CSIRT team in the event of an audit\nlog modification.\n\n12). Management should implement a solution to actively monitor tasks performed by resources\nwith approved conflicting duties.\n\n                                                                                               38\n\x0c13). Management should implement a process to establish and control the use of shared user\naccounts.\n    a). Management should implement a formal process to approve the creation of new common\nuser accounts.\n    b). Management should implement a formal process to disable common user accounts once\nno longer required.\n    c). Management should implement a formal process to establish membership in the common\nagency accounts.\n    d). Management should implement a formal process to change the common user account\'s\ncredentials once a member separates from the agency or changes job functions and no longer\nrequires access to the account.\n    e). Management should grant administrators local administrative accounts to each CPSC\nserver individually, instead of using the system administrator accounts. Management should\ncheck-in/check-out the passwords to the global system administrator accounts only when this\naccess is required.\n    f). Management should implement a formal process to require management to change the\ncredentials on shared administrator accounts whenever a user with knowledge of these\ncredentials separates from the CPSC or changes job functions.\n    g). Management should require periodic password changes on all common accounts.\n\n14). Management should revoke the separated user\'s access to E-Directory, AD and CPSRMS.\n\n15). Management should implement a solution to systematically disable users from all agency\ninformation systems after 30 days of inactivity.\n\n16). Management should implement a centralized contractor database to track the on and off-\nboarding of contractors.\n\n17). Management should draft and implement an SOP that clearly defines the roles and\nresponsibilities for all resources responsible for processing contractor separations. The SOP\nshould also include guidance for how these departments coordinate with each other to perform\ntheir respective tasks.\n\n18). Management should train the COTRs, EXRM, and EXIT resources responsible for\nprocessing contractor separations on their respective contractor separation responsibilities.\n\n19). EXRM should provide the EXIT representatives and program officials responsible for\nprocessing contractor separations with a weekly report of contractor separations. Management\nshould formally reconcile the current separations, as indicated on the weekly EXRM contractor\nseparation report, to all the CPSC IT system ACLs to ensure the timely revocation of all user\naccounts.\n\n20). Management should periodically review all AD, E-Directory, and major application user\naccounts to ensure that access remains appropriate.\n\n\n\n                                                                                                39\n\x0c                          MANAGEMENT SUMMARIZED RESPONSE\n\n   After having been given an opportunity to review a draft copy of the report, and having\nalready had ample opportunity to review the individual findings that comprise the report,\nmanagement concurred with the findings and recommendations.\n\n   Management elected to not provide a formal written response, other than preparing a\ntransmittal letter, bearing the signature of the head of the agency, to be used by them to forward\nthis report to the Office of Management and Budget which stated, \xe2\x80\x9cI have reviewed the FISMA\nreport and agree with the Inspector General\xe2\x80\x99s assessment. Our plan to remediate any outstanding issues\nwill be reflected in our quarterly Plan of Action and Milestones report.\xe2\x80\x9d\n\n\n\n\n                                                                                                     40\n\x0c'